http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone
By Thom Holwerda
osnews.com
12th Nov 2013
I've always known this, and I'm sure most of you do too, but we never
really talk about it. Every smartphone or other device with mobile
communications capability (e.g. 3G or LTE) actually runs not one, but two
operating systems. Aside from the operating system that we as end-users
see (Android, iOS, PalmOS), it also runs a small operating system that
manages everything related to radio. Since this functionality is highly
timing-dependent, a real-time operating system is required.
This operating system is stored in firmware, and runs on the baseband
processor. As far as I know, this baseband RTOS is always entirely
proprietary. For instance, the RTOS inside Qualcomm baseband processors
(in this specific case, the MSM6280) is called AMSS, built upon their own
proprietary REX kernel, and is made up of 69 concurrent tasks, handling
everything from USB to GPS. It runs on an ARMv5 processor.
The problem here is clear: these baseband processors and the proprietary,
closed software they run are poorly understood, as there's no proper peer
review. This is actually kind of weird, considering just how important
these little bits of software are to the functioning of a modern
communication device. You may think these baseband RTOSes are safe and
secure, but that's not exactly the case. You may have the most secure
mobile operating system in the world, but you're still running a second
operating system that is poorly understood, poorly documented,
proprietary, and all you have to go on are Qualcomm's, Infineon's, and
others' blue eyes.
The insecurity of baseband software is not by error; it's by design. The
standards that govern how these baseband processors and radios work were
designed in the '80s, ending up with a complicated codebase written in the
'90s - complete with a '90s attitude towards security. For instance, there
is barely any exploit mitigation, so exploits are free to run amok. What
makes it even worse, is that every baseband processor inherently trusts
whatever data it receives from a base station (e.g. in a cell tower).
Nothing is checked, everything is automatically trusted. Lastly, the
baseband processor is usually the master processor, whereas the
application processor (which runs the mobile operating system) is the
slave.
So, we have a complete operating system, running on an ARM processor,
without any exploit mitigation (or only very little of it), which
automatically trusts every instruction, piece of code, or data it receives
from the base station you're connected to. What could possibly go wrong?
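To make the "nothing is checked, everything is automatically trusted" point concrete, here is an added example that is not from the article and not code from any real baseband, AMSS, or REX. It parses a hypothetical over-the-air frame (one type byte, one length byte, then payload; a constructed layout, not any 3GPP or vendor format) in two styles. The trusting style acts on the peer-supplied length field as-is; it is modelled as returning the number of bytes it would copy, because actually performing that copy with an over-long length is the overflow the article warns about. The checked style is the mitigation: the claimed length must fit both the bytes actually received and the destination buffer before anything is copied.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical frame layout, constructed for this example:
 *   byte 0: message type
 *   byte 1: payload length, as claimed by the sender (the base-station side)
 *   bytes 2..: payload
 * Nothing about this layout is taken from a real radio protocol. */
#define PAYLOAD_MAX 32

/* Scratch buffer the checked parser copies into; fixed size like a
 * firmware receive buffer would be. */
uint8_t scratch[PAYLOAD_MAX];

/* "Nothing is checked": the trusting parser takes the length field on
 * faith. It returns the byte count it would copy rather than copying,
 * since copying 200 bytes into a 32-byte buffer is the bug itself. */
int trusting_payload_len(const uint8_t *frame, size_t frame_len)
{
    if (frame_len < 2)
        return -1;
    return frame[1];            /* never compared to anything */
}

/* Hardened parser: the peer's claimed length must fit both what was
 * actually received and the destination. Returns the payload length on
 * success, -1 on rejection; `out` is written only on success. */
int parse_frame_checked(const uint8_t *frame, size_t frame_len,
                        uint8_t *out, size_t out_cap)
{
    if (frame == NULL || out == NULL || frame_len < 2)
        return -1;
    size_t claimed = frame[1];
    if (claimed > frame_len - 2)   /* claims more bytes than were received */
        return -1;
    if (claimed > out_cap)         /* would overrun the destination buffer */
        return -1;
    memcpy(out, frame + 2, claimed);
    return (int)claimed;
}

/* Convenience wrapper that parses into the scratch buffer. */
int check_frame(const uint8_t *frame, size_t frame_len)
{
    return parse_frame_checked(frame, frame_len, scratch, sizeof scratch);
}

/* Two constructed frames: a well-formed one, and one whose length byte
 * (0xc8 = 200) claims far more payload than the frame carries. */
const uint8_t good_frame[] = { 0x01, 0x04, 0xde, 0xad, 0xbe, 0xef };
const uint8_t bad_frame[]  = { 0x01, 0xc8, 0xde, 0xad, 0xbe, 0xef };

int main(void)
{
    printf("trusting parser would copy %d bytes from the good frame\n",
           trusting_payload_len(good_frame, sizeof good_frame));
    printf("trusting parser would copy %d bytes from the bad frame into a %d-byte buffer\n",
           trusting_payload_len(bad_frame, sizeof bad_frame), PAYLOAD_MAX);
    printf("checked parser: good frame -> %d, bad frame -> %d\n",
           check_frame(good_frame, sizeof good_frame),
           check_frame(bad_frame, sizeof bad_frame));
    return 0;
}
```

The two rejection branches are deliberately separate: one catches a length that exceeds the bytes on the wire (a truncated or forged frame), the other a length that exceeds the receive buffer (the classic overflow). A parser that only performs the second check still over-reads the frame; one that only performs the first still overflows the buffer.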
[...]